” I had the app that came with, on my phone, an app [avec laquelle] I could unlock the doors, leave the vehicle […] This is an app that all cars should have. »
The application in question: MYCADDILAC, an application developed by OnStar, a subsidiary of General Motors.
This application not only allows you to start the car remotely, but also to know the status of the vehicle and the maintenance that is required: oil change, tire pressure, fuel level, mileage, etc. It also allows you to geolocate your car at all times, regardless of the distance. All this, thanks to a cellular connection.
An always-on app
Last summer, Gilles Veilleux decided to sell his Cadillac and forgot about the application. After a few weeks, he realizes the app is still on his phone. Out of curiosity, he clicks on the icon. The app is still active.
” I did not expect that. Me, I thought that, returned to the concessionaire, the application was going to land. At some point I clicked on that and, oops, found the vehicle. The vehicle was leaving […] on the highway, direction: the United States. »
He can track, in real time, his old SUV as it travels hundreds of miles before ending up at a used car dealership in Saint Louis, Missouri.
Then I rummaged through the inventory and finally found my truck in the showroom.
A few weeks later, the vehicle is moving again. Gilles Veilleux deduces that a new owner is driving the Cadillac. He continues to receive notifications on his phone.
” This application should not fall into the hands of a type of criminals because it could go far. »
Céline Castets-Renard, of the Research Chair in Artificial Intelligence at the University of Ottawa, sees this story as a major security breach.
” There are many studies that show that with two or three geolocation data we are identified, we can know a lot about our life, our intimacy, our habits. […] It can go very, very far. »
It is the right to privacy itself, a fundamental right, which can be seriously compromised by these new technologies. The risk of being followed, revealing our place of worship or the location of the school our children attend are information that can put us or our loved ones in danger, according to Professor Castets-Renard.
A car that starts more than 2000 km away
We go to Saint Louis, Missouri, to meet the new owner, who knows nothing about this story and does not know that his privacy is compromised by an application that is still active.
With the collaboration of Gilles Veilleux in Beauce, we locate the vehicle in real time. In front of a building of 70 units, impossible to ring at all the doors. But luck smiles on us. We come across the new owners of the Cadillac. The Fraction-Williams family, on their way to breakfast.
They are flabbergasted when we tell them that the previous owner can still exercise some control over the white Cadillac.
It’s terrifyinglaunches Markeyta Williams.
The new owners allow us to do a demonstration. Live from Beauce, Gilles Veilleux presses the button. Instantly, the headlights come on and the Cadillac starts. With a simple click, with the tip of your finger, on a cell phone that is more than 2000 km from Saint Louis.
The new owners are in shock.
” wow! It’s incredible! It’s incredible! I am very surprised! I don’t know who’s responsible, but it’s no good. »
This demonstration is sobering, given that around 50% of the models leaving factories around the world are connected cars, according to the consulting firm McKinsey. Almost all new cars, 95%, will be by 2030.
A questioned practice
The dealer who sold the vehicle to the Fraction-Williams family never returned our calls or emails. Impossible to know why the application was not deactivated before the new owners took possession of the Cadillac.
” Already, we could expect that by selling the vehicle the application will simply no longer work. »
General Motors, the ultimate OnStar enforcer, declined our interview request and instead emailed us a short statement.
” GM takes the privacy of customer data seriously and has procedures in place […] ensuring that a customer will notify GM when a sale or transfer occurs. »
These procedures are dictated by the OnStar App Terms of Service. They stipulate in particular that the owner has the obligation
to notify GM in the event of sale or transfer of the vehicle and […] and uninstall the software […] related to this vehicle.
And General Motors is no exception. Other car manufacturers impose similar conditions of use and also ask their customers to notify them as soon as there is a change of ownership.
” We consider that we informed him because we put a small line in a huge contract. It’s a bit easy for companies and sellers to end up abdicating their responsibilities on the consumer’s head. »
Gilles Veilleux did not know that he was required to contact GM to cancel his subscription or that he was required to uninstall his application.
Terms are long […] Often we [les] accept to be able to continue. But from there to reading them, then finally saying, it was my responsibility […] I didn’t know thatsays Gilles Veilleux.
According to Denis Gingras, director of the Laboratory on vehicular intelligence at the University of Sherbrooke, there are technological solutions that would make it possible to plug this breach, by validating, for example, the identity of the owner.
” If we put programmers, analysts, if we put specialists and engineers on the problem, we will solve it […]. The problem, in my opinion, is at the level of complexity with the various organizations, stakeholders […]. It is a political, legislative problem. »
As smart cars have different characteristics and are connected to varying degrees, Denis Gingras believes it would be essential for each car to have some kind of resume, particularly useful at the time of sale.
” The SAAQ should have the profile of the vehicle and determine [si] all the conditions have been met so that the confidentiality of the information, the ability to control the vehicle remotely, all these aspects can be properly transferred, to avoid this kind of flaw. »
A story that ends well
The Fraction-Williams family is still in shock two weeks after our whirlwind visit to Saint Louis, but they consider themselves lucky to have been alerted.
” We are very happy to have been notified. We would never have known otherwise. »
After the demonstration, Ronald Fraction got into his vehicle and called OnStar to deactivate the previous owner’s account and open a new one in his name.
The report by Annie Hudon-Friceau and France Larocque is broadcast on The bill Tuesday at 7:30 p.m. and Saturday at 12:30 p.m. on ICI Télé.